Network Access Control Lists (NACL)

A network access control list (ACL) is a layer of security for your VPC that acts as a virtual firewall for controlling traffic in and out of one or more subnets. You might set up network ACLs with rules similar to your security groups in order to add an additional layer of security to your VPC.

NACL rules (IOADC)

A rule is either inbound or outbound.

A rule can specify ALLOW or DENY.

An inbound rule has a source CIDR; an outbound rule has a destination CIDR.

When you create a VPC, a default NACL is created.

Default NACL allows all inbound and outbound traffic.

All subnets created are assigned this default NACL.

We can create new custom NACLs and change a subnet's association from the default NACL to a custom NACL at the subnet level. By default, a custom NACL DENIES all inbound and outbound traffic.

Each subnet in your VPC must be associated with a network ACL. If you don’t explicitly associate a subnet with a network ACL, the subnet is automatically associated with the default network ACL.

A subnet can have only one NACL associated at any given time, unlike Security Groups, where multiple SGs can be assigned to an EC2 instance.

One NACL can be associated with multiple subnets. For example, the default NACL is assigned whenever a new subnet is created.

Rules are evaluated starting with the lowest numbered rule. As soon as a rule matches traffic, it’s applied regardless of any higher-numbered rule that may contradict it. The highest number that you can use for a rule is 32766.

NACL rules are applied before security group rules.

NACLs are stateless

Example: If you allow HTTP inbound in a NACL, this does not automatically ALLOW HTTP outbound. You need to explicitly ALLOW HTTP outbound as well.

This is different from security groups, which are stateful. In an SG, once you allow HTTP inbound (request), the request's corresponding outbound HTTP (response) is automatically allowed even if no such rule has been created.

Use ephemeral (temporary) ports on outbound rules only

You can DENY (block) IP addresses using NACLs. This is not possible through SGs, which only ALLOW. So if you want to block an IP address, do it in the NACL, because security groups don't have deny rules.
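
The rule ordering, stateless behaviour and DENY rules described above can be modelled in a few lines. This is an added example, not part of the original notes and not AWS code: the names Rule, evaluate and http_exchange are hypothetical, the addresses are constructed from documentation ranges, the 1024-65535 ephemeral range is an assumption, and protocol matching is left out (TCP is assumed).

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    number: int     # 1..32766; lower numbers are evaluated first
    action: str     # "ALLOW" or "DENY"
    cidr: str       # source CIDR (inbound) or destination CIDR (outbound)
    port_from: int
    port_to: int

def evaluate(rules, peer_ip, port):
    """Return the action of the lowest-numbered matching rule.
    If no rule matches, the implicit final rule denies the packet."""
    addr = ipaddress.ip_address(peer_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        in_cidr = addr in ipaddress.ip_network(rule.cidr)
        if in_cidr and rule.port_from <= port <= rule.port_to:
            return rule.action  # first match wins; later rules are ignored
    return "DENY"

# Constructed sample rule sets for one subnet's NACL.
INBOUND = [
    Rule(100, "ALLOW", "0.0.0.0/0", 80, 80),         # HTTP from anywhere
    Rule(90, "DENY", "203.0.113.7/32", 0, 65535),    # block one address first
]
OUTBOUND_NO_RETURN = []  # custom NACL with no outbound ALLOW rule
OUTBOUND_WITH_RETURN = [Rule(100, "ALLOW", "0.0.0.0/0", 1024, 65535)]

def http_exchange(inbound, outbound, client_ip, client_port):
    """Stateless check: the request and its response are evaluated
    independently, each against its own direction's rules."""
    request = evaluate(inbound, client_ip, 80)              # client -> server:80
    response = evaluate(outbound, client_ip, client_port)   # server -> client port
    return request, response

if __name__ == "__main__":
    # Request allowed, response dropped: no outbound rule for the reply.
    print(http_exchange(INBOUND, OUTBOUND_NO_RETURN, "198.51.100.20", 50000))
    # Both directions allowed once the ephemeral range is opened outbound.
    print(http_exchange(INBOUND, OUTBOUND_WITH_RETURN, "198.51.100.20", 50000))
    # Rule 90 (DENY) is evaluated before rule 100 (ALLOW) for this address.
    print(evaluate(INBOUND, "203.0.113.7", 80))
```

If the DENY rule were numbered above 100 instead of 90, the ALLOW at 100 would match first and the address would not be blocked.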